By Scott M. McAuliffe, CPA, CISA, CFE | Risk Advisory Services Partner
Part 1 of a 4-Part Series on SOC Reporting
It happens all too often: an anxious executive from a service organization calls us to say that a prospective customer is requesting the service organization's SOC report. The executive does a quick Google search and learns that a SOC report is an internal control report issued by a CPA firm. The executive wants to know how quickly they can get their report and how much it will cost.
Through these calls and countless meetings with service organizations, we have found that both service organizations and their prospective customers need a good deal of education on SOC reporting. We regularly find that the type of report being requested is not appropriate for the type of service being provided. We also occasionally find that the service being provided does not warrant a SOC report at all.
Determining whether you need a SOC 1 or SOC 2 report or both
For most service organizations, one of two reports could meet the needs of their customers, and which report is appropriate depends on the nature of the service being provided.
SOC 1 Report
A SOC 1 report is appropriate for service organizations that process transactions that affect their customers' financial statements or other customer-facing financial reporting. In other words, if the service organization processes a transaction incorrectly, it could cause the customer's financial statements to be misstated. For example, if a payroll service bureau incorrectly calculates a customer's payroll for a week, that customer's financial statements will not accurately reflect actual payroll costs. Service organizations for whom a SOC 1 report could be appropriate include payroll service bureaus, third-party administrators, insurance or medical claims processors, and loan servicing companies, to name a few.
SOC 2 Report
A SOC 2 report is appropriate for service organizations that provide a service where the main concern is data security, system availability, system processing integrity, confidentiality, or privacy. Service organizations for whom a SOC 2 report could be appropriate include SaaS providers, data centers, healthcare services, and direct mailers. In each case, the service provided might not directly affect their customers' financial statements; however, their customers could still be concerned that their data is properly secured.
For a few "lucky" companies, such as a SaaS provider whose system both affects customers' financial reporting and holds their data, both a SOC 1 and a SOC 2 report could be appropriate based on the service/system provided.
Knowing this information, does your service organization need a SOC report? If so, do you need a SOC 1 or SOC 2 report or both? Is your prospective customer requesting the correct report or do you need to educate them?
Additional SOC Resources:
- When to Choose a SOC 1 vs SOC 2 Report
- What are the SOC 2 Trust Services Criteria?
- SOC 2 Documents – What you need to provide your auditor
- The Hidden Costs of a SOC 2 and How to Avoid Them
- SOC 2 Challenges – Audit Evidence
- SOC 2 Challenges – Population Completeness
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.